Of late, I have been visiting some sites like Yelp. I noticed that even though I did not explicitly log into the site using the "Facebook Login" button, it automatically logs in using that profile. (I may have, sometime earlier, given it permission to do so.) Even though it is a different site, how is it able to pick up the Facebook login data from a different cookie?

2 Answers
2

They use Facebook's JS library to authenticate and use the available data to sign in to their website. The cookie is not shared. Sites like Yelp may use the data provided by the JS library to create new session/cookies and use that to detect if you've accessed that site later on. More details can be found in Facebook's documentation.

This is the same feature which they provide in their Mobile SDK as Single Sign On or SSO (don't know if they use the same name for the web login too). The site which is already authenticated by the user to use Facebook as a login will either put the login authentication code on a button click event or in their page load event. The site queries the Facebook API for the login info and if you are logged in to Facebook already, they authenticate the requests and provide the login info.

It just happens in seconds, so you might see it as if they are using the Facebook cookies while they have no direct access to them.

PS: Sorry for the technical explanation, but that's all I can provide.
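
An added example, not part of either answer and not Facebook's or any site's own code: one way a site's server could check the `signedRequest` value the JS SDK hands to the page before it creates its own session, which is the step the first answer describes. The function names, in-memory session store, freshness limit and sample secret are assumptions; the `signature.payload` layout signed with HMAC-SHA256 under the app secret is Facebook's documented signed_request format.

```javascript
// Added example: verify a Facebook signed_request server-side, then issue the
// site's OWN session. Names and the session store are hypothetical.
const crypto = require('crypto');

// Returns the decoded payload when the signature and fields check out, else null.
function verifySignedRequest(signedRequest, appSecret, maxAgeSeconds, nowSeconds) {
  if (typeof signedRequest !== 'string') return null;
  const parts = signedRequest.split('.');
  if (parts.length !== 2) return null;
  const [sigPart, payloadPart] = parts;

  // The HMAC covers the still-encoded payload string, keyed with the app secret.
  const expected = crypto.createHmac('sha256', appSecret).update(payloadPart).digest();
  const given = Buffer.from(sigPart, 'base64url');
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;

  let payload;
  try {
    payload = JSON.parse(Buffer.from(payloadPart, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (payload === null || typeof payload !== 'object') return null;
  if (payload.algorithm !== 'HMAC-SHA256') return null;
  if (typeof payload.user_id !== 'string') return null;
  // Freshness limit is this example's policy (assumption), to reject replays.
  if (typeof payload.issued_at !== 'number') return null;
  if (nowSeconds - payload.issued_at > maxAgeSeconds) return null;
  return payload;
}

// Hypothetical in-memory session store: the site's cookie would carry only
// the random session id, never anything taken from Facebook's cookies.
const sessions = new Map();
function createSiteSession(signedRequest, appSecret, nowSeconds) {
  const payload = verifySignedRequest(signedRequest, appSecret, 300, nowSeconds);
  if (!payload) return null;
  const sessionId = crypto.randomBytes(32).toString('hex');
  sessions.set(sessionId, { facebookUserId: payload.user_id, createdAt: nowSeconds });
  return sessionId;
}

// Builds a constructed sample signed_request for local testing only.
function makeSample(payload, secret) {
  const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
  const sig = crypto.createHmac('sha256', secret).update(body).digest('base64url');
  return `${sig}.${body}`;
}
```

The point of the check is that the user id comes from a payload the server verified with the app secret, not from a value the browser merely claims.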